
Check PodDisruptionBudget minAvailable

When a Pod controller that can run multiple replicas is subject to an active PodDisruptionBudget, a replicas value equal to the PodDisruptionBudget's minAvailable leaves no room for voluntary disruptions such as Node drains, which can block routine maintenance tasks and disrupt operations. This policy checks incoming Deployments and StatefulSets that have a matching PodDisruptionBudget to ensure these two values do not match.

Policy Definition

/other/pdb-minavailable/pdb-minavailable.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pdb-minavailable-check
  annotations:
    policies.kyverno.io/title: Check PodDisruptionBudget minAvailable
    policies.kyverno.io/category: Other
    kyverno.io/kyverno-version: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/subject: PodDisruptionBudget, Deployment, StatefulSet
    policies.kyverno.io/description: >-
      When a Pod controller which can run multiple replicas is subject to an active PodDisruptionBudget,
      if the replicas field has a value equal to the minAvailable value of the PodDisruptionBudget
      it may prevent voluntary disruptions including Node drains which may impact routine maintenance
      tasks and disrupt operations. This policy checks incoming Deployments and StatefulSets which have
      a matching PodDisruptionBudget to ensure these two values do not match.
spec:
  validationFailureAction: audit
  background: false
  rules:
    - name: pdb-minavailable
      match:
        any:
          - resources:
              kinds:
                - Deployment
                - StatefulSet
      preconditions:
        all:
          - key: "{{request.operation || 'BACKGROUND'}}"
            operator: Equals
            value: CREATE
      context:
        - name: minavailable
          apiCall:
            urlPath: "/apis/policy/v1/namespaces/{{request.namespace}}/poddisruptionbudgets"
            jmesPath: "items[?label_match(spec.selector.matchLabels, `{{request.object.spec.template.metadata.labels}}`)] | [0] | spec.minAvailable || `0`"
      validate:
        message: >-
          The matching PodDisruptionBudget for this resource has its minAvailable value equal to the replica count
          which is not permitted.
        deny:
          conditions:
            any:
              - key: "{{ request.object.spec.replicas }}"
                operator: Equals
                value: "{{ minavailable }}"
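To make the rule's logic concrete, the following added Python example (not Kyverno's own code) re-implements it over constructed Deployment and PodDisruptionBudget objects: it mimics label_match as a subset check, applies the rule's default of 0 when no PDB matches, and compares replicas with minAvailable exactly as the deny condition does. As an extension beyond the policy, blocks_all_evictions also resolves a percentage minAvailable (rounded up, as the disruption controller does), a case the policy's integer comparison does not flag; the object shapes and function names are this example's own assumptions.

```python
import math

def label_match(selector, labels):
    """Mimic Kyverno's label_match(): every selector label must be present
    on the Pod template with the same value (a subset check)."""
    return all(labels.get(k) == v for k, v in selector.items())

def matching_min_available(workload, pdbs):
    """spec.minAvailable of the first PDB in the namespace that selects this
    workload's Pod template, or 0 when none matches (the rule's `|| 0`)."""
    tmpl_labels = workload["spec"]["template"]["metadata"]["labels"]
    for pdb in pdbs:
        if label_match(pdb["spec"]["selector"]["matchLabels"], tmpl_labels):
            return pdb["spec"].get("minAvailable", 0)
    return 0

def violates(workload, pdbs):
    """The rule's deny condition: replicas Equals the matched minAvailable.
    Only an absolute (integer) minAvailable can compare equal to replicas."""
    replicas = workload["spec"]["replicas"]
    min_avail = matching_min_available(workload, pdbs)
    return isinstance(min_avail, int) and replicas == min_avail

def blocks_all_evictions(workload, pdbs):
    """Extension beyond the policy: also resolve a percentage minAvailable
    the way the disruption controller does (scaled, rounded up), so that
    e.g. "100%" with 3 replicas is recognised as allowing zero disruptions."""
    replicas = workload["spec"]["replicas"]
    min_avail = matching_min_available(workload, pdbs)
    if isinstance(min_avail, str) and min_avail.endswith("%"):
        min_avail = math.ceil(replicas * int(min_avail[:-1]) / 100)
    return replicas == min_avail

# Constructed sample objects, trimmed to the fields the rule reads.
def deployment(replicas, labels):
    return {"kind": "Deployment", "spec": {"replicas": replicas,
            "template": {"metadata": {"labels": labels}}}}

def pdb(min_available, selector):
    return {"kind": "PodDisruptionBudget", "spec": {
        "minAvailable": min_available, "selector": {"matchLabels": selector}}}

PDBS = [pdb(3, {"app": "web"}), pdb("100%", {"app": "api"})]

if __name__ == "__main__":
    for replicas, labels in [(3, {"app": "web", "tier": "front"}),
                             (4, {"app": "web"}), (3, {"app": "api"})]:
        d = deployment(replicas, labels)
        print(replicas, labels, "policy:", violates(d, PDBS),
              "resolved:", blocks_all_evictions(d, PDBS))
```

Note that the rule's default of 0 also makes a workload with replicas set to 0 and no matching PDB compare equal, which the example reproduces.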